Earlier this morning, a vulnerability was disclosed that allows remote code execution on Android phones over MMS. Dubbed “Stagefright”, the vulnerability is exploited by sending the user a malformed media file, which the default SMS/MMS client downloads automatically.
If you’re using Google Hangouts as your default SMS client, here’s how to protect your device from Stagefright by disabling automatic downloading of media files sent via MMS:
Here’s how to protect your phone from the Stagefright bug if you’re using Google Messenger (the default SMS client for Android 5.0+):
The above screenshots were taken on a Nexus 5, but the steps are the same on any Android device using Hangouts or Messenger. To disable Auto Retrieve MMS in the default SMS client on the Samsung Galaxy S6, go to:
- Messages app
- More
- Settings
- More settings
- Multimedia messages
- Auto retrieve
More on the Stagefright Hack
Here’s how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability…”
Once the attackers get in, Drake says, they’d be able to do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. “It’s really up to their imagination what they do once they get in,” he says.
Disabling Auto Retrieve MMS will partially mitigate this vulnerability ahead of the official patch release. With the feature off, every MMS media file requires a click before it can be viewed, which prevents an attack from executing automatically on your phone. Turning off this feature does not fix the vulnerability entirely. As long as the bug exists, your Android device remains vulnerable and can be hacked if a malformed media file is downloaded by clicking on it. The vulnerability will not be completely fixed until a patch is released for your device, but this intermediate step can help mitigate the threat in the meantime.
by Greg Baugues
See Full Story on twilio.com